I’m wondering if I really need OpenID Connect to provide authentication on top of OAuth2. It seems to me if I generate JWTs (JWE) as my access token and I store user claims, roles/permissions, etc. in the access token, then the OpenID Connect's id token isn't needed. Resource servers can validate the access token on each request. Alternatively, I could keep the access token small and just have it store a session id and populate that session with claims/roles/permission. Also I could put an expiration value in session and support sliding expiration, etc. and not even deal with refresh tokens. Am I missing what OpenID Connect is really about?
Update
I just realized I need to clarify my question a bit. If I built a site where I allow users to login via Google, I see how OpenID Connect is necessary. I'm allowing someone access to my site based on some OAuth authorization flow which doesn't prove authentication happened. But if I'm building a bunch of services and I just want to issue tokens to access these service resources, isn't OAuth enough? And if I wanted these tokens to contain roles/claims so I can make authorization decisions in my services, isn't a JWT containing roles/claims enough? If feels like OpenID Connect wouldn't be necessary in this case.
